(54) Key distribution for mobile network

(57) A satellite mobile telecommunications system includes mobile terminals 2a, 2b which can communicate with one another using end-to-end encryption and decryption techniques. When secure end-to-end communication is required, each terminal uses a common encryption code (RAND) to encode data and decode data transmitted between the terminals. The encryption code is transmitted in a secure manner from a remote database station (15) to the terminals. Each terminal stores a terminal key (Ka, Kb) on its SIM card and the keys are also held in the remote station (15). Partial keys (Kpa, Kpb) comprising the pseudo random number (RAND) and the keys Ka, Kb stored at the station (15) are produced at the station (15) by an exclusive OR process in order to mask the keys and the random number. The partial key Kpa = Ka + (RAND) is sent to terminal 2a. At the terminal 2a, the partial key Kpa is exclusive OR-ed with the locally stored terminal key on the SIM card, so as to recover (RAND). The common code (RAND) is determined by the same process at terminal 2b, from Kpb = Kb + (RAND) and the locally stored key Kb. The terminals then both run a GSM encryption algorithm (A5) to encrypt and decrypt transmitted data, on the basis of the common code (RAND).
Description

This invention relates to a method and apparatus for providing secure communication through a communications network.

Digital mobile voice communications systems are well known and one example is the GSM terrestrial cellular system. Others are the Inmarsat-M satellite telephone system, the IRIDIUM satellite cellular system described in, for example, EP-A-0365885, the ICO satellite cellular system described in, for example, GB-A-2295296 or the ODYSSEY satellite cellular system described in, for example, EP-A-0510789. Since such systems operate over a wireless link, there is a risk of interception of calls by unauthorised persons.

The GSM system includes an optional encryption scheme described in, for example, "Security aspects and the implementation in the GSM-system"; Peter C.J. van der Arend, paper 4a, Conference Proceedings of the Digital Cellular Radio Conference (DCRC), October 12th-14th 1988, published by Deutsche Bundespost, France Telecom and Fernuniversitate. Greater detail is given in the following GSM recommendations: GSM 02.09 "Security Aspects"; GSM 03.20 "Security Related Algorithms". In this scheme, a database known as the Authentication Centre (AuC) holds an individual encryption key number (Ki) for each subscriber to the authentication service, which is also stored on a chip known as the Subscriber Information Module (SIM) held in the subscriber's mobile terminal. The subscriber has no access to the data stored in the SIM and cannot read the key.

Where a secure session is requested, a random number (RAND) is generated by the AuC and used, together with the customer's key (Ki), to calculate a ciphering key (Kc) used during the session for ciphering and deciphering messages to/from the subscriber. The random number is sent from the AuC to the subscriber's mobile terminal via the Base Transceiver Station (BTS). The mobile terminal passes the random number to the SIM, which calculates the ciphering key Kc using an algorithm termed A5, from the received random number and the stored key (Ki). Thus, the random number is sent over the air, but not the customer's key Ki or the ciphering key Kc.

The random number and the ciphering key Kc are fed to the Home Location Register (HLR) database of the GSM network, which stores details for the subscriber concerned, and are also sent to the Visiting Location Register (VLR) for the area where the user terminal is currently located, and are supplied to the BTS via which the mobile is communicating to the network.

The ciphering key Kc is used, together with the current TDMA frame number, to implement the A5 ciphering algorithm in both the mobile terminal and the BTS so that data transmitted over the air interface between the mobile terminal and the BTS is encrypted. Thus, the individual user key Ki is stored only at the authentication centre and the SIM, where the ciphering key Kc is calculated and forwarded to the BTS and the mobile terminal.

Whilst this scheme is adequate in many respects, it fails to provide complete security since it offers protection only over the air transmission path. Thus, it is possible for illicit access to be obtained by tampering with the fixed part of the network.

Accordingly, end-to-end encryption schemes have 
been proposed. Because the encryption runs from one 
user terminal to the other, across the whole communi- 
cations path and not just the air path, improved privacy 
is obtained. 

The basic problem in offering end-to-end encipherment of communications over a network is in providing each of the two users with the same, or each other's, secret key. In some applications, a group of terminals (for example all owned by a single body) may all have access to the same key. Whilst this provides privacy against personnel from outside the group, it is an incomplete solution since it does not provide privacy for communication between two terminals within the group and a third within the group.

It is possible to employ public key encryption systems, in which each terminal has a secret decryption key and a non-secret encryption key, so that any other party can use the encryption key to encrypt data but only the recipient can decrypt data which has been encrypted using the public encryption key.

A communication system could be envisaged in 
which every user is provided with such a pair of keys, 
and in setting up a communication between a pair of 
users each sends the other its encryption key whilst 
keeping its decryption key secret. 

However, there is widespread public concern that the use of such techniques on a telecommunications network would allow criminals or terrorists to communicate using completely secure communications, free from any possibility of supervision.

In our GB 9611411.1 there is described an end-to-end encryption and decryption scheme in which the terminal keys that are stored in the terminals, are held additionally in a remote "trusted third party" database. In order to set up an encrypted transmission between a first and a second terminal, each of them is provided from the remote location with a partial key which contains masked data concerning the key of the other terminal, derived from the stored data in the database. As a result, both terminals can be provided with data that in combination with their own key stored at the terminal, enables them each to set up a common secret code which can be used for end to end encryption and decryption through the network.

A difficulty with this system arises when it is desired to set up secure conference calls between three or more terminals. Each terminal needs to be provided with masked data concerning all the keys of the other terminals participating in the conference call so that they can each establish a common code, with the result that the partial keys and the final encryption code become long and cumbersome in dependence upon the number of participants. Also the risk of the code being ascertained by eavesdropping, from the long partial keys, is increased.

The present invention provides a solution to these problems. The invention provides a method of distributing through a communications network, enciphering key data to be used in encrypting and decrypting data at first and second terminals so as to provide secure data transmission between the terminals through the network, the terminals each storing corresponding first and second terminal keys, the method comprising: storing the first and second keys remotely of the terminals; generating first and second partial keys each as a masked function of a common number and a corresponding one of said remotely stored keys; dispatching the first partial key towards the first terminal; and dispatching the second partial key towards the second terminal.

The invention also provides a method of setting up a first terminal that stores an individual terminal key, to encrypt data to be transmitted according to a secure encryption code through a communications network to a second terminal where the data is to be decrypted, comprising receiving at the first terminal a partial key dispatched thereto through the network from a remote location, the partial key being a masked function of the individual terminal key and a number for determining the encryption code, and comparing at the terminal the received partial key and the stored key so as to provide the encryption code.

The invention also extends to a method of setting up a second terminal that stores an individual terminal key, to decrypt data transmitted thereto according to a secure encryption code through a communications network from a first terminal where the data is encrypted, comprising receiving at the second terminal a partial key dispatched thereto through the network from a remote location, the partial key being a masked function of the individual terminal key and a number for determining the code, and comparing at the second terminal the received partial key and the stored key so as to provide data for decrypting the code.

Thus in accordance with the invention, each terminal is provided with a partial key from the remote location that includes masked data concerning the terminal key of the terminal itself, without the need for key of the other terminal, so that the protocol can readily be expanded from communications between two terminals, to large numbers of terminals in conference calls without lengthening the partial keys.

One or more additional terminals may join in a call whilst it is in progress, either to expand a normal two party call into a three party conference call or to increase the number of parties in a conference call. To this end, the joining party is sent a masked version of its key so that it can determine the code, together with the frame number for the data transmission that is going on between the parties, so that the joining party can join in the transmitted data flow.

The invention is envisaged for use in satellite mobile digital communications systems, and is also useful in corresponding terrestrial digital mobile communication systems (e.g. in cellular systems such as the GSM system), or in fixed link communication systems. The invention may also be practised in store-and-forward communication systems such as e-mail or the Internet.

Brief description of the drawings

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

Figure 1 is a block diagram showing schematically the elements of a communication system embodying the present invention;
Figure 2 is a block diagram showing schematically the elements of mobile terminal equipment suitable for use with the present invention;
Figure 3 is a block diagram showing schematically the elements of an Earth station node forming part of the embodiment of Figure 1;
Figure 4 is a block diagram showing schematically the elements of a gateway station forming part of the embodiment of Figure 1;
Figure 5 is a block diagram showing schematically the elements of a database station forming part of the embodiment of Figure 1;
Figure 6 illustrates the contents of a store forming part of the database station of Figure 5;
Figure 7a illustrates schematically the beams produced by a satellite in the embodiment of Figure 1;
Figure 7b illustrates schematically the disposition of satellites forming part of Figure 1 in orbits around the earth;
Figure 8 is a block diagram showing the signal flow between components of the handset of Figure 2 in a first embodiment of the invention;
Figure 9 is a schematic block diagram showing the flow of encryption data and signals between the components of Figure 1 in the first embodiment;
Figure 10 is a flow diagram showing schematically the process performed by the control and enciphering components of the handset of Figure 8 in the first embodiment;
Figure 11 is a flow diagram showing schematically the process of operation of the earth station of Figure 3 in the first embodiment;
Figure 12 is a flow diagram showing schematically the process of operation of the central database station of Figure 4 in the first embodiment;
Figure 13 is a flow diagram showing schematically the process of operation of a subscriber information module (SIM) held within the handset of Figure 8 in the first embodiment;
Figure 14 is a flow diagram illustrating schematically the stages of security provided in a fourth embodiment of the invention;
Figure 15 is an illustrative diagram showing the stages of formation of the enciphering key by a first handset terminal of Figure 8; and
Figure 16 is a corresponding illustrative diagram showing the process of formation of the enciphering key at a second such handset;
Figures 17a and b is a flow diagram modifying the operation of that of Figures 12 and 13 in the third embodiment of the invention;
Figure 19a is a block diagram showing schematically some of the functional elements present in the handset of Figure 8 according to the fourth embodiment of the invention;
Figure 19b is a block diagram showing schematically some of the functional elements present in the database station of the fourth embodiment;
Figure 19c is a block diagram showing schematically some of the functional elements present in the earth station of the fourth embodiment;
Figure 20 (incorporating parts of Figure 10) is a flow diagram showing schematically the operation of a handset according to the fourth embodiment;
Figure 21 (incorporating parts of Figure 11) is a flow diagram showing schematically the process of operation of an earth station according to the fourth embodiment;
Figure 22 (incorporating parts of Figure 12) is a flow diagram showing schematically the operation of a database station according to the fourth embodiment;
Figure 23 (incorporating parts of Figure 13) is a flow diagram showing schematically the operation of a subscriber information module according to the fourth embodiment; and
Figure 24 illustrates how embodiments of the invention can be used for conference calls with more than two user terminals.



Detailed description

Referring to Figure 1, a satellite communications network according to this embodiment comprises mobile user terminal equipment 2a, 2b; orbiting relay satellites 4a, 4b, 4c; satellite earth station nodes 6a, 6b, 6c; satellite system gateway stations 8a, 8b; public switched telecommunications networks 10a, 10b; and fixed telecommunications terminal equipment 12a, 12b.

Interconnecting the satellite system gateways 8a, 8b, 8c with the earth station nodes 6a, 6b, 6c and interconnecting the nodes 6a, 6b, 6c with each other, is a dedicated ground-based network comprising channels 14a, 14b, 14c. The satellites 4, earth station nodes 6 and lines 14 make up the infrastructure of the satellite communications network, for communication with the mobile terminals 2, and accessible through the gateway stations 8.

A terminal location database station 15 is connected, via a signalling link 60 (e.g. within the channels 14 of the dedicated network) to the gateway station and earth stations 6.

The PSTNs 10a, 10b comprise, typically, local exchanges 16a, 16b to which the fixed terminal equipment 12a, 12b is connected via local loops 18a, 18b; and international switching centres 20a, 20b connectable one to another via transnational links 21 (for example, satellite links or subsea optical fibre cable links). The PSTNs 10a, 10b and fixed terminal equipment 12a, 12b (e.g. telephone instruments) are well known and almost universally available today.

Each mobile terminal apparatus is in communication with a satellite 4 via a full duplex channel (in this embodiment) comprising a down link channel and an up link channel, for example (in each case) a TDMA time slot on a particular frequency allocated on initiation of a call, as disclosed in patent applications GB 2288913 and GB 2293725. The satellites 4 in this embodiment are non geostationary and thus, periodically, there is hand over from one satellite 4 to another.

Mobile terminal 2


Referring to Figure 2, the mobile terminal equipment of Figure 1 is shown. One suitable form is a handset, as shown. Details of the handsets 2a, 2b etc will not be described and are similar to those presently available for use with the GSM system, comprising a digital coder/decoder 30, together with conventional microphone 36, loudspeaker 34, battery 40, keypad components 38, a radio frequency (RF) interface 32 and antenna 31 suitable for satellite communications. Preferably a display 39, for example a liquid crystal display, is also provided. A 'smart card' reader 33 receiving a smart card (SIM) 35 storing user information is also provided.

The coder/decoder (codec) 30 comprises a low bit rate coder, generating a speech bit stream at around 3.6 kilobits per second, together with a channel coder applying error correcting encoding, to generate an encoded bit stream at a rate of 4.8 kilobits per second. The low bit rate coder may, for example, be a linear predictive coder such as a multiple pulse predictive coder (MPLPC), a code book excited linear predictive coder (CELP), or a residual excited linear predictive coder (RELP). Alternatively, it may employ some form of waveform coding such as subband coding.

The error protection encoding applied may employ block codes, BCH codes, Reed-Solomon codes, turbo codes or convolutional codes. The codec 30 likewise comprises a corresponding channel decoder (e.g. using Viterbi or soft decision coding) and speech decoder.

Also provided is a control circuit 37 which may in practice be integrated with the coder 30, consisting of a suitably programmed microprocessor, microcontroller or digital signal processor (DSP) chip.

The SIM 35 preferably complies with GSM Recommendations 02.17 "Subscriber Identity Modules", and 11.11 and is preferably implemented as an industry standard "Smart Card". The SIM 35 and reader 33 are therefore preferably as described in International Standards ISO 7810, 7811 and 7816; these and GSM 02.17 and 11.11 are all incorporated herein by reference.

Specifically, the SIM 35 includes a processor 35a and permanent memory 35b. The processor 35a is arranged to perform some encryption functions as described in greater detail below.

Earth Station Node 6 

The earth station nodes 6 are arranged for commu- 
nication with the satellites. 

Each earth station node 6 comprises, as shown in Figure 3, a conventional satellite earth station 22 consisting of at least one satellite tracking antenna 24 arranged to track at least one moving satellite 4, RF power amplifiers 26a for supplying a signal to the antenna 24, and 26b for receiving a signal from the antenna 24; and a control unit 28 for storing the satellite ephemeris data, controlling the steering of the antenna 24, and effecting any control of the satellite 4 that may be required (by signalling via the antenna 24 to the satellite 4).

The earth station node 6 further comprises a mobile satellite switching centre 42 comprising a network switch 44 connected to the trunk links 14 forming part of the dedicated network. A multiplexer 46 is arranged to receive switched calls from the switch 44 and multiplex them into a composite signal for supply to the amplifier 26 via a low bit-rate voice codec 50. The earth station node 6 also includes a local store 46 storing details of each mobile terminal equipment 2a within the area served by the satellite 4 with which the node 6 is in communication.

Gateway 8 

Referring to Figure 4, the gateway stations 8a, 8b comprise, in this embodiment, commercially available mobile switching centres (MSCs) of the type used in digital mobile cellular radio systems such as GSM systems. They could alternatively comprise a part of an international or other exchange forming one of the PSTNs 10a, 10b operating under software control to interconnect the networks 10 with the satellite system trunk lines 14.

The gateway stations 8 comprise a switch 70 arranged to interconnect incoming PSTN lines from the PSTN 10 with dedicated service lines 14 connected to one or more Earth station nodes 6, under control of a control unit 72. The control unit 72 is capable of communicating with the data channel 60 connected to the database station 15 via a signalling unit 74, and is arranged to generate data messages in some suitable format (e.g. as packets or ATM cells).

Also provided in the gateway stations 8 is a store 76 storing billing, service and other information relating to those mobile terminals 2 for which the gateway station 8 is the home gateway station. Data is written to the store 76 by the control unit 72 after being received via the signalling unit 74 or switch 70, from the PSTN 10 or the Earth station nodes 6 making up the satellite network. This store acts in the manner of a visitor location register (VLR) of a terrestrial GSM network, and a commercially available VLR may therefore be used as the store 76.

The satellite system trunk lines 14 comprise, in this embodiment, high quality leased lines meeting acceptable minimum criteria for signal degradation and delay. In this embodiment, all the lines 14 comprise terrestrial links. The trunk lines 14 are preferably dedicated lines, so that the lines 14 form a separate set of physical channels to the networks 10. However, the use of virtual circuits through the networks 10 is not excluded.

Database Station 15 

Referring to Figure 5, the database station 15 comprises a digital data store 54, a signalling circuit 56, a processor 58 interconnected with the signalling circuit 56 and the store 54, and a signalling link 60 interconnecting the database station 15 with the gateway stations 8 and Earth stations 6 making up satellite system network, for signalling or data message communications.

The store 54 contains, for every subscriber terminal apparatus 2, a record showing the identity e.g. the International Mobile Subscriber Identity or IMSI; the current status of the terminal 2 (whether it is "local" or "global" as will be disclosed in greater detail below); the geographical position of the mobile terminal 2 (either in co-ordinate geometry, or as code identifying an area within which it lies); the "home" gateway station 8 with which the apparatus is registered (to enable billing and other data to be collected at a single point) and the currently active Earth station node 6 with which the apparatus 2 is in communication via the satellite 4. The contents of the store are indicated in Figure 6.

Further, in this embodiment the store contains for each user a unique and individual enciphering key Ki, to be used as described below.

The signalling unit 56 and processor 58 are arranged to receive interrogating data messages, via the signalling circuit 60 which may be a packet switched connection, from gateways 8 or nodes 6, comprising data identifying one of the mobile terminals 2, for example, the telephone number of the equipment 2, and the processor 58 is arranged to search the store 54 for the status and active earth station node 6 of the terminal 2, and to transmit these in a reply message via the data line 60.

Thus, in this embodiment the database station 15 
acts to fulfil the functions both of a home location regis- 
ter (HLR) of a GSM system, and of an authentication 
centre (AuC) of a GSM system, and may be based on 
commercially available GSM products. 

Satellites 4 

The satellites 4a, 4b comprise generally conventional communications satellites, such as the known Hughes HS 601 model, and may include features as disclosed in GB 2288913. Each satellite 4 is arranged to generate an array of beams covering a footprint beneath the satellite, each beam including a number of different frequency channels and time slots as described in GB 2293725 and illustrated in Figure 7a.

The satellites 4 are arranged in a constellation in sufficient numbers and suitable orbits to cover a substantial area of the globe, preferably to give full, continuous global coverage. For example 10 or more satellites may be provided in two mutually orthogonal intermediate circular orbits at an altitude of, for example 10 500 kilometres as shown in Figure 7b. However, larger numbers of lower satellites may be used, as disclosed in EP 0365885, or other publications relating to the Iridium system, for example.



Registration and Location

In one embodiment, a customer mobile terminal apparatus 2 may be registered with one of two distinct statuses; "local" in which the mobile terminal apparatus is permitted only to communicate through one local area, or part of the satellite system network, and "global", which entitles the apparatus to communicate through any part of the satellite system network.

The status of each apparatus 2, i.e. "local" or "global", is stored in the record held for the apparatus 2 concerned in the store 54 of the database station 15 as shown in Figure 6.

The mobile terminal apparatus 2 performs an automatic registration process, of the kind well known in the art of cellular terrestrial communications, on each occasion when the terminal 2 is utilised for an outgoing call; and/or when the apparatus 2 is switched on; and/or periodically whilst the apparatus 2 is switched on. As is conventional, the registration process takes the form of the broadcasting of a signal identifying the mobile terminal 2 (e.g. by transmitting its telephone number on a common hailing or signalling frequency).

The transmitted signal is picked up by one or more of the satellites 4. Under normal circumstances the signal is picked up by multiple satellites 4, and the received signal strength and/or time of arrival are transmitted together with the identity of the mobile apparatus 2 and the identity of the satellite 4 receiving the signal, to the database station 15 via the earth station node or nodes 6 for which the satellites 4 are in communication and the signalling line 60.

The processor 58 of the database station 15 then calculates, e.g. on the basis of the differential arrival times, the terrestrial position of the mobile terminal apparatus 2, which is stored in the database 54. Also stored is the identity of the earth station node 6 most suitable for communicating with the mobile terminal apparatus 2. This is typically found by the processor 58 comparing the stored position of the terminal 2 with the predetermined stored positions of each of the earth station nodes 6 and selecting the nearest. However, account may also or instead be taken of the strength of the signals received via the satellites 4, or of other factors such as network congestion, which may result, in borderline cases, in the choice of a node earth station which is not geographically closest to the mobile terminal equipment 2. The identity of the allocated active earth station node 6 is then likewise stored in the store 54 in the record for that terminal apparatus.

Call Set Up and Routing



Processes of routing calls to and from mobile terminal apparatus 2 are described fully in GB-A-2295296 and PCT/GB95/01087, both of which are hereby incorporated fully by reference. Briefly, for a local user outside its area, a call placed to the user or from the user is referred to the database station which determines that the user is outside of its area and thereafter does not process the call.

For a local user which is inside its area, in the preferred embodiment described in the above referenced International application, calls to or from the mobile user and a conventional terrestrial user connected to one of the PSTNs are set up over the satellite link, via the active earth station 6, the ground network and the public switched telephone network (PSTN) from the nearest gateway 8 to the terrestrial

For global users, calls are routed via the satellite and the active earth station, then via the ground network to the gateway station 8 nearest to the terrestrial user.

The numbers allocated to mobile users may have "International" prefixes followed by a code corresponding to the satellite service network. Alternatively, they could have a national prefix followed by a regional code assigned to the satellite service.

Calls between one mobile user and another are carried out by directing the signal via a first satellite link down to the active earth station node of the first mobile user, via the ground network to the active earth station node of the second mobile user (which may be, but is not necessarily, the same as that of the first) and then via a second satellite link (which may, but does not need to be via the same satellite) to the second mobile user.

First Embodiment

Figure 8 shows in greater detail the signal flow through the elements of the mobile terminal of Figure 2. Signals received from the aerial 31 are RF demodulated by RF modem 32 and supplied to the processor circuit 37 which is arranged, when in enciphering mode, to decipher the received data using, for example, the A5 algorithm in accordance with a deciphering key supplied from the SIM 35. The deciphering key is referred to as

The deciphered bit stream is then passed to a channel codec 30b which performs error correcting decoding and the error corrected speech signal is supplied to low bit rate codec 30a which includes a digital to analog converter, the analog output of which is supplied to loudspeaker 34.

Speech from the microphone 36 is supplied to the low bit rate codec 30a which includes an analog to digital converter, and the resulting low bit rate speech signal is encoded by the channel codec 30b to include error protection. The error protected bit stream is then encrypted, when in enciphering mode, by the control circuit 37 and the encrypted bit stream is supplied to the RF modem 32 for transmission from the aerial 31.

Referring to Figures 9, 10 and 11, the process of 
setting up the enciphered mode of communication will 
now be described in greater detail. 

During a communication session between two user terminals 2a, 2b, a user of one or both terminals elects to continue the conversation in encrypted form. Accordingly, referring to Figure 10, in step 1002 the invoking party enters a sequence of key strokes from the keyboard 38, or operates on a special key which is recognised by the processor 37 as an instruction to invoke security, and accordingly the processor 37 transmits, in step 1002, a signal to invoke enciphering on an inband or associated control channel.

Referring to Figure 11, at the earth station 6, in step 1102 the privacy request signal is received and in step 1104 the signal is sent to the central database station 15 together with the identity codes indicating the identities of the terminals 2a and 2b, and to the second user terminal 2b.

At the second user terminal 2b, receipt of the privacy signal occurs in step 1002 of Figure 10.

Referring to Figure 12, at the central database station the privacy signal is received in step 1202.

In step 1204, the controller 58 of the database station 15 accesses the memory 54 and reads out the individual enciphering key stored for the first mobile terminal 2a, and the key Kb stored for the second mobile terminal 2b.

In step 1206, the controller 58 generates a pseudo random number (RAND).

In this embodiment, the keys Ka and Kb are each 128 bit binary numbers and the random number RAND is another 128 bit binary number.



In step 1208, the controller 58 calculates first and second partial
keys Kpa, Kpb. The calculation of the first partial key is
illustrated in Figure 15: this calculation comprises generating a
128 bit number each bit of which comprises the exclusive OR function
of the bits in corresponding positions of the second terminal key
and the random number RAND. Thus, the second partial key is given as
follows

Kpa = Ka + RAND

(where + indicates a binary addition operation).

The second partial key Kpb is calculated in exactly the same way, by
performing a bit-wise exclusive-OR operation between the first
terminal key Kb and the random number RAND, as shown in Figure 15.

In step 1210 of Figure 12, the central database station 15 transmits
the first partial key (Kpa) to the first terminal 2a and the second
partial key (Kpb) to the first terminal 2b, via the signalling
network 60, and the respective earth stations 6b and 6a and
satellites 4b and 4a.

At this stage, each individual terminal key has been "scrambled" by
the binary addition operation with the random number RAND. An
unauthorised eavesdropper who monitors one of the partial keys
cannot learn the terminal key from it because there are two
unknowns: the random number RAND and the terminal key. Even an
unauthorised eavesdropper who monitors both partial keys cannot
derive either the random number or one of the terminal keys, because
he has only two data from which to derive three unknowns: the best
that can be derived is the difference between the two terminal keys,
which is of no value.

Referring now to Figure 11, in step 1106 each earth station receives
the partial key and forwards it to the mobile terminal in step 1108.

Referring to Figure 10, in step 1004, each of the mobile terminals
(2a, 2b) receives a corresponding partial key (Kpa, Kpb). In step
1006, the partial key is transmitted via the card reader 33 to the
SIM 35.

Referring to Figure 13, in step 1302, the SIM receives the partial
key and in step 1304 the SIM reads the terminal key from within the
memory 35b. In step 1306, the SIM processor 35a recovers the binary
number RAND by comparing the stored terminal key Ka with the partial
key Kpa, to generate a new 128 bit binary number. The comparing step
is carried out by exclusive-ORing Kpa and Ka. Thus, the SIM
processor computes a code KR where

KR = Ka + (RAND) - Ka
   = (RAND)

In step 1308, the SIM 35 supplies KR = (RAND) via the card reader
device 33 to the terminal processor 37. The code KR is used as an
enciphering key for data to be transmitted.

Likewise, at the second terminal 2b, the value of KR = (RAND) is
computed by subtracting the stored value Kb in the SIM of the
terminal from the second partial key Kpb, i.e.

KR = Kb + (RAND) - Kb
   = (RAND)

Thus, each terminal 2a, 2b calculates the same enciphering key
KR = (RAND).

Referring back to Figure 10, in step 1008, the terminal processor 37
receives the encryption key KR and in step 1010 the terminal 37
switches to encryption mode. Thereafter, at step 1012, the processor
37 functions to encrypt the bit stream from the codec 30 prior to RF
modulation and transmission, and to decrypt the corresponding bit
stream from the RF modem 32 prior to supply thereof to the codec 30
using the key KR.

The encryption algorithm may be any suitable algorithm and may be
openly known, since the encryption key KR itself is secret. The
encryption algorithm is conveniently the A5 encryption algorithm
used in GSM handsets and described in the above referenced
Recommendations.

Thus, to recap, as shown in Figure 9, in this embodiment each
terminal 2 has an associated unique terminal key which is stored in
the SIM 35 held within the terminal and in the central database
station 15. The enciphering key KR used is a function of the random
number (RAND) generated in the remote database station 15 which
distributes it to 2a, 2b in a masked form, in the partial keys Kpa,
Kpb.

Transmitting the terminal keys in masked form prevents an
eavesdropper from gaining access to either terminal key. By changing
the masking on each session operation, namely by generating a
continually changing sequence of pseudo-random numbers (RAND), an
eavesdropper cannot learn the masking function over time.

Nor is it possible for either terminal or SIM to work out the
other's terminal key, since this is masked even from the terminals
themselves.



Second Embodiment

In a second embodiment, security is further improved by reducing the
opportunities for unauthorised tampering at the central database
station. The second embodiment works substantially as the first
except that, as shown in Figure 14, instead of steps 1204 to 1210 of
Figure 12 being performed, steps 1404 to 1420 are performed.

Accordingly, after step 1202, the processor 58 first accesses the
first terminal key Ka in step 1404, then calculates the random
number in step 1406 (as described in relation to step 1206), then
calculates the first partial key Kpa in step 1408 (as described in
relation to step 1208), and then sends the first partial key in step
1410 (as described in relation to step 1210).

After these operations, any locally stored copies of Ka and Kpa are
erased. Then, in step 1414, the processor 58 accesses the second
terminal key Kb, calculates the second partial key Kpb (step 1416),
sends the second partial key (step 1418), and erases the second
partial key and second terminal key (step 1420).

Thus, in this embodiment, access to the two partial keys and
terminal keys is separated in time, reducing the possibilities for
eavesdropping or fraudulent use of the database station 15.

It will be apparent that access to the two partial keys and/or
terminal keys could be separated in other ways; for example, by
sending the two terminal keys to physically separate devices and
then sending the random number to each of the devices for
combination there with the terminal keys.

Rather than sending the same random number to two different devices,
for additional security, two identical, in-step, random number
generators may be provided at two different locations, to which the
two terminal keys are sent. Thus, access to the two terminal keys
and/or partial keys may be separated physically as well as, or
instead of, in time.

Third Embodiment



In this embodiment, security is further increased by enciphering
each of the partial keys Kpa, Kpb for transmission. Although it
would be possible to use a common cipher, this would be undesirable
since eavesdroppers with access to the common cipher (e.g. other
authorised users of the privacy service) might be able to decipher
the cipher.

Equally, it is preferred not to use an air interface cipher of the
type known in the GSM system because this would be open to
interception in the fixed part of the network.

Accordingly, in this embodiment, the SIM 35 stores a decryption
algorithm (which may conveniently be the A5 algorithm used in GSM
systems) and the database station 15 is arranged to execute the
corresponding encryption algorithm.

Referring to Figure 17a, in this embodiment the process of Figure 12
of the first embodiment is modified by the inclusion of a step 1209,
between steps 1208 and 1210, in which each partial key is enciphered
using the terminal key of the terminal to which it will be sent and
is transmitted in enciphered form.

At each terminal, referring to Figure 17b, in this embodiment the
SIM processor 35a performs an additional step 1305 between steps
1304 and 1306. In step 1305, the received partial key is decrypted
using the terminal key, prior to calculating the ciphering key.

Thus, in this embodiment additional security is provided by
encrypting the transmitted partial keys and conveniently, the
encryption makes use of the terminal key of the destination
terminal, so as to avoid the need to store further encryption data.

Obviously, however, other forms of encryption are possible: in
particular, more sophisticated encryption algorithms in which an
additional random number is also sent would be possible.

Fourth Embodiment 

In this embodiment, the principle of the first embodiment is
utilised, in combination with the air interface encipherment and
authentication system present in GSM compatible networks and
specified in the above GSM Recommendations.

Referring to Figure 14, the security features are applied in the
following order:

Authentication (step 2002); Air-Interface encryption (step 2004);
End-to-End encryption (step 2006).

The first two steps are as in existing GSM networks and the third is
as described above in relation to the first embodiment. The process
will now be described in more detail.

Referring to Figure 19a, the functions performed by the handset
processor 37 and SIM 35 will be described as separate functional
blocks: each functional block could, of course, be implemented by a
separate microprocessor or digital signal processor (DSP) device but
in this embodiment, in fact, only one such processor device is
present in the handset and one in the SIM 35.

Referring to Figure 19a, signals received from the antenna 31 and
demodulated by the RF modem 32 are passed through a first
enciphering/deciphering stage 372 arranged to apply the A5 algorithm
known from GSM in accordance with an air interface enciphering key
Kc, and a second enciphering/deciphering stage 374 arranged to apply
a second deciphering algorithm (conveniently, again, the A5
algorithm used in the GSM system and described in the above
Recommendations), deciphering in accordance with an end-to-end
enciphering key KR. The deciphered bit stream is thereafter supplied
to the codec 30.

Similarly, the speech bit stream from the codec 30 passes through
the two enciphering/deciphering stages 372, 374 in the reverse
order; for clarity, the signal path has been omitted from Figure
19a.

Within the SIM 35 is located a terminal key storage register 352
storing the terminal key for the terminal, in this case for the
terminal 2a. The terminal key storage register 352 is connected to
supply the terminal key Ka to a signature calculation stage 354,
arranged to calculate a "signed response" number (SRES) used to
authenticate the terminal, in accordance with the A3 algorithm
described in the above mentioned GSM Recommendations and used in GSM
systems. The response calculation stage 354 is also connected, via
the card reader device 33, to receive a random number (RAND1) from
the unenciphered bit stream output from the RF modem 32.

The terminal key register 352 is also connected to supply the
terminal key Ka to a first key generation stage 356, which is also
arranged to receive the random number (RAND1) and to calculate
therefrom an air interface enciphering key Kc in accordance with the
A8 algorithm described in the above GSM Recommendations and used in
GSM systems. The key thus calculated is supplied, via the card
reader device 33, to the first (air interface)
enciphering/deciphering stage 372 of the terminal processor 37.

The terminal key register 352 is also connected to supply the
terminal key to a second key generation stage 358, which is arranged
to generate an enciphering key KR for end-to-end encryption (by an
exclusive OR function as described in the first embodiment)
utilising the terminal key Ka and the partial key Kpa which it is
connected to receive (via the card reader device 33) from the
deciphered output of the first (air interface)
enciphering/deciphering stage 372 of the terminal processor 37.

The end-to-end enciphering key thus calculated is supplied to the
second (end-to-end) enciphering/deciphering stage 374 of the
terminal processor 37.

Referring to Figure 15b, the central database station 15 comprises,
in this embodiment, a random number generator 582 arranged to
generate, on each occasion of use, a new binary 128 bit number
(RAND1) in a random sequence; a store 54 storing the terminal keys
Ki; a key generation stage 584 which is connected to receive a
terminal key from the store 54, and the random number (RAND1), and
to calculate therefrom an air interface enciphering key Kc in
accordance with the A8 algorithm described in the GSM
recommendations and used in GSM systems; and a signature calculation
stage 586, which likewise is connected to receive the terminal key
and the random number (RAND1), arranged to calculate the signed
response number (SRES) in accordance with the A3 algorithm described
in the above mentioned GSM Recommendation and used in GSM systems.

The outputs of the random number generator stage 582, signed
response generator stage 586 and key generation stage 584 are
connected to the signalling circuit 56 for transmission to the earth
stations 6.

Referring to Figure 19c, each earth station 6 comprises (within the
database 48) a triplet register 482 arranged to store a
predetermined number (e.g. 5) of triplets each comprising a random
number, a corresponding SRES and a corresponding air interface
encryption key Kc, supplied via the signalling circuit 60 from the
database station 15.

On each occasion when a mobile terminal 2 registers with the earth
station 6, the earth station requests the supply of the
predetermined number of triplets from the central database station
15, which accordingly generates the predetermined number of triplets
and transmits them for storage in the registers 482 via signalling
channel 60.

Also provided within the earth station 6 is a comparator 282 coupled
to the triplet register 482 and to the air interface components 24,
26 of the earth station 6, and arranged to compare a signed response
(SRES) number received from a mobile terminal 2 with a signed
response stored in the register 482, and to indicate correspondence
(or absence thereof) between the two numbers. If the two numbers do
not correspond, the user is not authenticated and service is
discontinued by the control unit 28.

Finally, the earth station 6 comprises an air interface encryption
stage 284 arranged to encipher and decipher in accordance with the
A5 algorithm (known from GSM) making use of an air interface
enciphering key Kc supplied from the triplet register 482.

In the enciphering direction, the air interface
enciphering/deciphering stage 284 receives an input from the codec
50 (Figure 3) and delivers its output to the air interface
components 24, 26; whereas in the deciphering direction the
enciphering/deciphering stage 284 receives its input from the air
interface components 24, 26 and delivers its output to the codec 50.

The operation of this embodiment will now be described in greater
detail with reference to Figures 16a to 16d. In Figures 20 to 23,
steps of the processes of Figure 10 to 13, which will not be
discussed further in detail, are incorporated.

As in Figure 10, a request for privacy is initiated by one of the
parties and a privacy request signal is transmitted from the
terminal 2a.

Following receipt (step 1102) of the privacy signal at the earth
station 6a and forwarding thereof (step 1104) to the database
station 15, referring to Figure 16c, steps 1202 and 1204 are
performed to derive the terminal keys of the two terminals.

Then, in step 1205, a test is performed to determine whether both
subscribers are authorised to use end-to-end encryption. If so,
steps 1206 to 1210 of Figure 12 are performed. Subsequently, or if
not, the database station 15 proceeds to step 1212, in which it
transmits a signal to the earth station(s) 6a, 6b serving the two
terminals 2a, 2b to instruct them to perform a terminal
authentication check and to commence air interface encryption.

Referring back to Figure 21, each earth station 6, on receipt of the
instruction signal and partial key (step 1110), sends an
authentication interrogation message (step 1112) which includes the
next random number RAND1 obtained from the triplet register 482.
Additionally, as in the GSM system, a key number may be transmitted
for further verification.

Referring back to Figure 20, on receipt of the authentication
request message (step 1014) the random number (RAND1) is extracted
and sent to the SIM 35 (step 1016).

Referring to Figure 16d, at the SIM 35, on receipt of the random
number RAND1 (step 1310), the SIM processor 35a looks up the
terminal key Ka (step 1312) and calculates the signed response
(SRES) using the A3 algorithm (step 1314).

In step 1316, the SIM processor 35a calculates the air interface
enciphering key Kc using the random number (RAND1) and the terminal
key Ka. In step 1318, the SIM 35 transmits the signed response
number (SRES) and the air interface enciphering key (Kc) to the
terminal processor 37 via the card reader device 33.

Subsequently, the SIM 35 executes the process of Figure 13.

Referring to Figure 20, on receipt of the signed response number
(SRES) in step 1018, the terminal processor 37 transmits the SRES
number to the earth station 6a (step 1020).

Referring to Figure 21, the earth station 6 receives the signed
response number (1114) and compares it with the stored signed
response number held in the triplet register 482 (step 1116).

If the two do not match, the call is terminated (step 1117).
Alternatively, further attempts at authentication may be made if
desired.

If the signed response received from the mobile terminal 2 matches
the stored signed response in step 1116, the earth station 6 reads
the enciphering key Kc stored in the triplet register 482
corresponding to the signed response just received, and (step 1118)
commences enciphering all future traffic to, and deciphering all
future traffic from, the mobile terminal 2 using the A5 algorithm
together with the enciphering key Kc. As is conventional in GSM
systems, the frame number may also be used as an input to the
enciphering algorithm.

The earth station 6 thereafter returns to step 1108 of Figure 11, to
send the partial key Kpa received from the database station 15 to
the terminal 2a, but in this embodiment this takes place in
enciphered form.

Returning to Figure 16a, on receipt of the air interface encryption
key Kc (step 1022) from the SIM 35, the terminal processor 37 starts
the enciphering/deciphering mode in which all traffic received from
the air interface modem 32 is deciphered and all traffic transmitted
to the air interface modem 32 is enciphered using the A5 algorithm
and the air interface enciphering key Kc; where the earth station 6
additionally makes use of the frame number, the terminal 2 likewise
does so.

The process performed by the terminal processor 37 of terminal 2a
(in this example) then returns to step 1004 of Figure 10, to receive
(in encrypted form), decrypt and use the partial enciphering key Kpa
received from the earth station 6. A corresponding process is
performed for the terminal 2b.
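
The authentication part of this embodiment (triplets generated at the database station, held in the triplet register 482 and checked against the SIM's signed response) is shown in the following added example. It is not code from the patent: the class and function names are hypothetical, the terminal keys are constructed sample values, and truncated HMAC-SHA-256 is a stand-in chosen here for the A3 and A8 algorithms, which the patent takes from the GSM Recommendations.

```python
import hashlib
import hmac
import secrets

TRIPLETS_PER_REQUEST = 5  # the "predetermined number (e.g. 5)" on the page


def a3_sres(terminal_key, rand1):
    """Stand-in for A3 (assumption): 32-bit signed response."""
    return hmac.new(terminal_key, b"A3" + rand1, hashlib.sha256).digest()[:4]


def a8_kc(terminal_key, rand1):
    """Stand-in for A8 (assumption): 64-bit air interface key Kc."""
    return hmac.new(terminal_key, b"A8" + rand1, hashlib.sha256).digest()[:8]


class DatabaseStation:
    """Role of database station 15: the only network element holding keys."""

    def __init__(self, terminal_keys):
        self._keys = dict(terminal_keys)

    def make_triplets(self, terminal_id, count=TRIPLETS_PER_REQUEST):
        key = self._keys[terminal_id]
        triplets = []
        for _ in range(count):
            rand1 = secrets.token_bytes(16)  # a new 128-bit RAND1 each time
            triplets.append((rand1, a3_sres(key, rand1), a8_kc(key, rand1)))
        return triplets


class EarthStation:
    """Role of earth station 6: stores triplets, never the terminal key."""

    def __init__(self, database):
        self._database = database
        self._register = {}  # triplet register 482, one list per terminal
        self._pending = {}   # triplet whose challenge is awaiting a response

    def register_terminal(self, terminal_id):
        self._register[terminal_id] = self._database.make_triplets(terminal_id)

    def triplets_left(self, terminal_id):
        return len(self._register[terminal_id])

    def challenge(self, terminal_id):
        """Step 1112: consume the next triplet and send its RAND1."""
        triplet = self._register[terminal_id].pop(0)
        self._pending[terminal_id] = triplet
        return triplet[0]

    def verify(self, terminal_id, sres):
        """Steps 1114 to 1118: return Kc on a match, None if the call ends."""
        _, expected, kc = self._pending.pop(terminal_id)
        if hmac.compare_digest(sres, expected):
            return kc
        return None


class Sim:
    """Role of SIM 35: the terminal key stays inside this object."""

    def __init__(self, terminal_key):
        self._key = terminal_key

    def respond(self, rand1):
        """Steps 1310 to 1318: compute (SRES, Kc) from the received RAND1."""
        return a3_sres(self._key, rand1), a8_kc(self._key, rand1)


def authenticate(station, terminal_id, sim):
    """One challenge-response round; True only if both ends hold the same Kc."""
    rand1 = station.challenge(terminal_id)
    sres, kc_terminal = sim.respond(rand1)
    kc_station = station.verify(terminal_id, sres)
    return kc_station is not None and kc_station == kc_terminal, rand1


def demo():
    key_2a = secrets.token_bytes(16)  # constructed sample terminal key
    station = EarthStation(DatabaseStation({"2a": key_2a}))
    station.register_terminal("2a")
    genuine_ok, first_rand = authenticate(station, "2a", Sim(key_2a))
    # A SIM that does not hold the registered key for terminal 2a.
    other_ok, second_rand = authenticate(station, "2a", Sim(secrets.token_bytes(16)))
    return genuine_ok, other_ok, first_rand != second_rand, station.triplets_left("2a")


if __name__ == "__main__":
    print(demo())
```

Each challenge consumes one triplet, so a RAND1 is not reused, and the earth station can check the response and start air interface encryption without ever holding the terminal key.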

Although the above description assumes that neither terminal has
recently been authenticated, and that neither terminal is already in
air interface encryption mode, it will be understood that this need
not be the case. If either terminal is already applying air
interface encryption, then the corresponding steps described above
to set up authentication and air interface enciphering are not
performed again.

In the above embodiment, additional safeguards may be provided: for
example, to initiate secure communications, the terminal user may be
required to input a PIN code for matching with data held on the SIM.

It will be understood that, where the invention is practised in a
GSM-compatible system or the like, the SIM 35 will contain further
information in the form of the international mobile subscriber
identity number (IMSI), and optionally lists of phone numbers for
speed dial or other purposes.

Conference Calls

The encryption scheme according to the invention has the significant
advantage that the common encryption/decryption code KR that is
formed in each of the terminals 2a, 2b consists of the random number
(RAND) supplied from the database station 15. Thus, in the method
according to the invention, the length of the encryption/decryption
code KR is independent of the number of terminals used during the
call. This has implications for conference calls as will now be
explained with reference to Figure 24. This Figure corresponds
generally to Figure 9 but illustrates more than two user terminals,
for use in a conference call. In Figure 24, three terminals are
shown, namely terminal 2a, 2b and 2n which each form a respective
communication link with an earth station 6a, 6b, and 6n.

In order to set up the conference call, partial keys Kpa, Kpb and
Kpn are transmitted from the central database station 15 to each of
the earth stations 6a, 6b and 6n and the keys are then transmitted
to the respective user terminals 2a, 2b, 2n. The partial keys are
then decoded at the user terminals respectively in the manner
previously described such that each terminal develops the common
encryption code KR = (RAND). The terminals can then use the common
code KR to encrypt and decrypt data for the conference call between
the three user terminals. It will be appreciated that although three
terminals are shown, much larger numbers could be used for the
conference call. This contrasts with the method described in our
prior GB 9611411.1 in which each terminal needs to be provided with
data based on the terminal key codes for all the other terminals
used for the call and so when many terminals are used in a
conference call, the encryption code becomes extremely long and
cumbersome.
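
The masking and recovery steps of the first embodiment (steps 1204 to 1306), extended to the three conference terminals 2a, 2b and 2n described above, can be traced in the following added example. It is not code from the patent: the class and function names are hypothetical, the terminal keys are constructed sample values, and RAND is drawn with Python's secrets module rather than any generator the patent specifies.

```python
import secrets

KEY_BYTES = 16  # 128-bit terminal keys and RAND, as in the first embodiment


def xor_bytes(x, y):
    """Bit-wise exclusive OR of two equal-length byte strings."""
    if len(x) != len(y):
        raise ValueError("operands must have the same length")
    return bytes(a ^ b for a, b in zip(x, y))


class DatabaseStation:
    """Role of database station 15, which stores every terminal key."""

    def __init__(self, terminal_keys):
        self._keys = dict(terminal_keys)

    def make_partial_keys(self, terminal_ids):
        """Steps 1204 to 1208: draw one RAND, mask it with each terminal key."""
        rand = secrets.token_bytes(KEY_BYTES)
        partial = {tid: xor_bytes(self._keys[tid], rand) for tid in terminal_ids}
        return partial, rand  # rand is returned only so the demo can check it


class Sim:
    """Role of SIM 35: holds one terminal key and recovers RAND with it."""

    def __init__(self, terminal_key):
        self._key = terminal_key

    def recover_session_key(self, partial_key):
        """Step 1306: KR = Kp XOR K, which equals RAND."""
        return xor_bytes(partial_key, self._key)


def run_session(station, sims):
    """Set up one session for every terminal in `sims`.

    Returns the partial keys as carried on the signalling path, the key each
    SIM recovered, and the RAND the station drew.
    """
    partial, rand = station.make_partial_keys(list(sims))
    recovered = {tid: sim.recover_session_key(partial[tid])
                 for tid, sim in sims.items()}
    return partial, recovered, rand


def observer_difference(partial, tid_x, tid_y):
    """What a holder of two partial keys can compute: RAND cancels, leaving
    the exclusive OR of the two terminal keys."""
    return xor_bytes(partial[tid_x], partial[tid_y])


def demo():
    # Constructed sample terminal keys for terminals 2a, 2b and 2n.
    keys = {tid: secrets.token_bytes(KEY_BYTES) for tid in ("2a", "2b", "2n")}
    station = DatabaseStation(keys)
    sims = {tid: Sim(key) for tid, key in keys.items()}

    results = []
    for _ in range(2):  # two separate sessions, each with a fresh RAND
        partial, recovered, rand = run_session(station, sims)
        results.append({
            "all_agree": all(kr == rand for kr in recovered.values()),
            "difference_ab": observer_difference(partial, "2a", "2b"),
            "partial_a": partial["2a"],
        })
    return keys, results


if __name__ == "__main__":
    _, sessions = demo()
    for number, session in enumerate(sessions, 1):
        print(f"session {number}: all terminals hold KR = {session['all_agree']}, "
              f"Kpa XOR Kpb = {session['difference_ab'].hex()}")
```

The partial key sent to terminal 2a changes with every session, while the value computed from two partial keys is the same in both sessions; it is the "difference between the two terminal keys" referred to in the first embodiment.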

One or more additional terminals may join in a call whilst it is in
progress, either to expand a normal two party call into a three
party conference call or to increase the number of parties in a
conference call. To this end, the joining party is sent a masked
version of the code RAND from the base station 15 together with the
frame number for the data transmission that is going on between the
parties, so that the joining party can use the locally held A5
algorithm to compute the current value of the encryption key and
join in the transmitted data flow.

The ability to set up secure conference calls between many user
terminals has particular application for secure closed user group
(CUG). To this end, the database station 15 may include a list of
members of a closed user group which are permitted to correspond
with other members in a conference call or individually. For
example, a closed user group may comprise armed services personnel
or emergency services personnel. In a modification, more than one
database station 15 is provided and a supervising database station
(not shown) may be used in order to coordinate more than one CUG to
allow them to share facilities, for example on a temporary basis so
that for a particular project e.g. a combined service operation, the
CUGs may communicate with each other over conference calls or
individually in a secure, encrypted manner. In another modification,
a single database station 15 is used and, for the temporary period
of cooperation, all user terminals are provided with reprogrammed
SIM cards to allow secure communication within the temporary group.

Other Embodiments 

Many modifications and alternatives to the previously described
embodiments will be apparent to the skilled person and are within
the scope of the present invention.

For example, in practice, duplex transmission occurs between the
user terminals on different channels. For additional security
different individual codes KR may be used for each of the duplex
channels, produced by means of separate partial keys transmitted
from the database station 15, using different values of the pseudo
random number (RAND) for each channel.

The numbers of satellites and satellite orbits indicated are purely
exemplary. Smaller numbers of geostationary satellites, or
satellites in higher altitude orbits, could be used; or larger
numbers of low earth orbit (LEO) satellites could be used. Equally,
different numbers of satellites in intermediate orbits could be
used.

Although TDMA has been mentioned as a suitable access protocol,
other access protocols can be used such as code division multiple
access (CDMA) or frequency division multiple access (FDMA).

Whilst the principles of the present invention are envisaged above
as being applied to satellite communication systems, the use of the
invention in other communications systems e.g. digital terrestrial
cellular systems such as, but not limited to, GSM, is also possible.

Although, for the sake of convenience, the term "mobile" has been
used in the foregoing description to denote the terminals 2, it
should be understood that this term is not restricted to hand-held
or handportable terminals, but includes, for example, terminals to
be mounted on marine vessels or aircraft, or in terrestrial
vehicles. Equally, it is possible to practice the invention with
some of the terminals 2 being completely immobile.

Instead of providing a single central database station 15 storing
details of all terminal equipment 2, similar details could be stored
at the home gateway 8 for all terminal equipment to register with
that home gateway.

Whilst in the above described embodiments the central database
station 15 acts as a Home Location Register (HLR) of a GSM system,
and may be provided using commercially available HLR hardware, and
the databases within each earth station 6 act in the manner of
visiting location registers (VLRs) and may likewise use commercially
available GSM hardware, it will be understood that the information
relating to different users could be distributed between several
different databases. There could, for instance, be one database for
each closed user group, at physically different positions.

Whilst in the fourth embodiment above the same terminal key Ki is
used for secure end-to-end encryption as is used for air interface
encryption, it will be clear that this is not necessary; each
terminal could store two different terminal keys, one for air
interface encryption and one for end-to-end encryption. In this
case, a separate authentication centre database could be provided
for end-to-end encryption key distribution to that which is used in
conventional air interface encryption.

Although in the foregoing embodiments, the same (A5) cipher
algorithm used for the air interface encryption of the GSM system is
used in end-to-end encryption, it will be apparent that a different
cipher could be used; in this case, terminals would include two
different enciphering stages for use in the fourth embodiment.
Further, where multiple closed user groups are provided, each closed
user group could use a different cipher.

In the foregoing, the gateways 8 may in fact be comprised within an
ISC or exchange or mobile switching centre (MSC) by providing
additional operating control programmes performing the function of
the gateway.

In the foregoing, dedicated ground network lines have been
described, and are preferred. However, use of PSTN or PLMN links is
not excluded where, for example, leased lines are unavailable or
where temporary additional capacity is required to cope with traffic
conditions.

It will be understood that the stores within the gateways 8 need not
be physically co-located with other components thereof, provided
they are connected via a signalling link.

Whilst, in the foregoing, the term "global" is used and it is
preferred that the satellite system should cover all or a
substantial part of the globe, the invention extends also to similar
systems with more restricted coverage (for example of one or more
continents).
Whilst the foregoing embodiments describe duplex communications
systems, it will be clear that the invention is equally applicable
to simplex (one way) transmission systems such as
point-to-multipoint or broadcast systems.

Whilst the preceding described embodiments are direct transmission
systems, it will be understood that the invention is applicable to
store-and-forward communications systems in which one party
transmits a message for storage and subsequent later transmission to
the other party.

One example of such a store-and-forward system is e-mail, for
example of the type provided by Compuserve™ or MCI™. Another example
is the Internet, which, as is well known, consists of a number of
host computer sites interconnected by a backbone of high speed
packet transmission links, and accessible for file transfer from
most points in the world via public telecommunications or other
networks.

In an embodiment of this type, a central database station 15 need
not distribute keys to both terminals at the same time; instead,
distribution of the partial key to the transmitting terminal may
take place at the time of transmission of a file of data for storage
in encrypted form, and distribution of a partial key to the
receiving terminal may take place substantially later, for example,
at the next occasion when the receiving terminal is connected to the
network and/or the next occasion when the receiving terminal wishes
to download the file from intermediate storage in a host computer.

It will be understood that whilst the previously described
embodiments concern voice transmission, the invention is applicable
to the encryption of data of any kind and particularly, but not
exclusively, to image data, video data, text files or the like.

It will be understood that the geographical locations of the various
components of the invention are not important, and that different
parts of the system of the above embodiments may be provided in
different national jurisdictions and the present invention extends
to any part or component of telecommunications apparatus or system
which contributes to the inventive concept.

Claims 

1. A method of distributing through a communications 
network, enciphering key data to be used in 
encrypting and decrypting data at first and second 
terminals (2a, 2b) so as to provide secure data 
transmission between the terminals through the 
network, the terminals each storing corresponding 
first and second terminal keys (Ka, Kb), the method 
comprising: 

storing the first and second keys (Ka, Kb) 
remotely of the terminals (2a, 2b); 
generating first and second partial keys (Kpa, 
Kpb) each as a masked function of a common 
number (RAND) and a corresponding one of 
said remotely stored keys (Ka, Kb); 
dispatching the first partial key (Kpa) towards 
the first terminal (2a); and 
dispatching the second partial key (Kpb) 
towards the second terminal (2b). 

2. A method according to claim 1 wherein the enci- 
phering key data is to be used for encrypting and 
decrypting data at said first and second terminals 
(2a, 2b) and at least one further terminal (2n) so as 
to provide security for concurrent data transmis- 
sions between all of said terminals (2a, 2b, 2n) 
through the network, the method further including: 

storing a further key (Kn) remotely of the termi- 
nals (2a, 2b, 2n) corresponding to the terminal 
key of the further terminal (2n); 
generating a further partial key (Kpn) as a 
masked function of the common number 
(RAND) and said remotely stored further key 
(Kn); and 
dispatching the further partial key (Kpn) 
towards the further terminal (2n). 

3. A method according to claim 2 including causing 
the further terminal to join in data transmission 
between the terminals whilst said transmission is in 
progress, including transmitting to the further termi- 
nal, timing data concerning the data transmission 
between the terminals. 

4. A method according to any preceding claim includ- 
ing generating said partial keys with said common 
number (RAND) only for a predetermined group 
(CUG) of said terminals (2) to provide for secure 
communication between the terminals of the group. 

5. A method of setting up a first terminal (2a) that 
stores an individual terminal key (Ka), to encrypt 
data to be transmitted according to a secure 
encryption code (Kr) through a communications 
network to a second terminal (2b) where the data is 
to be decrypted, comprising: 

receiving at the first terminal a partial key (Kpa) 
dispatched thereto through the network from a 
remote location, the partial key being a masked 
function of the individual terminal key (Ka) and 
a number (RAND) for determining the encryp- 
tion code; and 
comparing at the terminal (2a) the received par- 
tial key (Kpa) and the stored key (Ka) so as to 
provide the encryption code (Kr). 

6. A method according to claim 5 including encrypting 
data at the first terminal (2a) according to the 
encryption code (Kr), and transmitting the 
encrypted data towards the second terminal 
through the network. 

7. A method of setting up a second terminal that 
stores an individual terminal key (Kb), to decrypt 
data transmitted thereto according to a secure 
encryption code through a communications net- 
work from a first terminal where the data is 
encrypted, comprising: 

receiving at the second terminal a partial key 
(Kpb) dispatched thereto through the network 
from a remote location, the partial key being a 
masked function of the individual terminal key 
(Kb) and a number (RAND) for determining the 
code; and 
comparing at the terminal the received partial 
key (Kpb) and the stored key (Ka) so as to pro- 
vide data (Kr) for decrypting data transmitted 
from the first terminal and encrypted according 
to the encryption code (Kr). 

8. A method according to claim 7 including decrypting 
data at the second terminal, transmitted thereto 
from the first terminal and encrypted according to 
the encryption code (Kr). 

9. A method according to any preceding claim 
wherein the or each said partial key (Kpa, Kpb, Kpn) 
is transmitted to the terminals (2a, 2b, 2n) over the 
air interface of a mobile communications system. 

10. A method according to claim 9 including addition- 
ally encrypting data transmitted over the air inter- 
face. 

11. A method according to claim 10 including perform- 
ing the additional encryption at each said terminal 
with the terminal key of the respective terminal and 
a predetermined algorithm. 

12. Apparatus (15) for distributing through a communi- 
cations network, enciphering key data to be used in 
encrypting and decrypting data at first and second 
terminals (2a, 2b) so as to provide secure data 
transmission between the terminals through the 
network, the terminals each storing corresponding 
first and second terminal keys (Ka, Kb), comprising: 

a data store disposed remotely of the terminals 
(2a, 2b), storing first and second terminal keys 
(Ka, Kb) corresponding to the terminal keys 
stored by the terminals respectively; 
means for generating a number (RAND); 
means for generating first and second partial 
keys (Kpa, Kpb) each as a masked function of 
the number (RAND) and a corresponding one 
of said keys (Ka, Kb) held in the store; and 
dispatching means operative to dispatch the 
first partial key (Kpa) towards the first terminal 
(2a) and the second partial key (Kpb) towards 
the second terminal (2b). 

13. A terminal (2a, 2b, 2n) for communicating through a 
communication network with at least one further 
terminal, comprising 

means to receive a store (SIM) that stores an 
individual terminal key (Ka), 
a key generator (35a) to receive from the net- 
work a partial key (Kpa) comprising a masked 
function of the individual terminal key (Ka) and a 
number (RAND) transmitted in common to said 
at least one further terminal, and operative to 
compare the individual key stored in the store 
(SIM) with said partial key so as to produce an 
encryption code (Kr) as a function of said 
number (RAND); and 
enciphering means (37) operative to encipher 
data transmitted through the network in accord- 
ance with the encryption code (Kr). 

14. A terminal according to claim 13 including user 
operable means (38) for selectively initiating opera- 
tion of the enciphering means. 

15. A terminal according to claim 13 or 14 operative to 
transmit and receive data in different channels 
through the network, wherein the enciphering 
means (37) is operative to encipher data transmit- 
ted through the network in accordance with a first 
said encryption code (Kr), and including decipher- 
ing means (37) operative to decipher data received 
through the network in accordance with a second, 
different said encryption code (Kr). 